On Tuesday, FireEye Mandiant announced the release of an open source tool for auditing Microsoft 365 tenants for the use of UNC2452-related techniques. UNC2452 is the name the cybersecurity firm currently gives to the threat actor behind the supply chain attack on SolarWinds, an IT management software company.
The SolarWinds supply chain attack has claimed hundreds of victims, and potentially affected organisations should be checking their networks for signs of attack-related activity. Organisations that were not hit also need the knowledge and tools to detect and neutralise this kind of intrusion in case they are targeted in the future, particularly since other threat actors are likely to borrow from the UNC2452 playbook in their own operations.
UNC2452 has used some novel techniques in pursuit of its goals. FireEye says that, to move laterally from on-premises networks into Microsoft cloud environments, the attackers used a combination of four key techniques, including theft of the token-signing certificate from Active Directory Federation Services (AD FS) in order to forge authentication tokens for targeted user accounts, the creation of backdoors in Azure AD, and the compromise of passwords for highly privileged on-premises accounts that are synchronised to the cloud
Mandiant's new tool, called Azure AD Investigator, helps organisations search their Microsoft cloud environments for indicators of compromise and alerts defenders to objects that may warrant further analysis.
FireEye stresses that in some cases manual analysis will be required, because some of the items the tool flags may stem from legitimate administrative activity.
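As an added illustration of the kind of check such a tool performs (this is example code written for this article, not Mandiant's Azure AD Investigator), the Python below triages Azure AD audit-log records for changes to domain federation settings, the mechanism behind the Azure AD backdoor described above. Field names follow the Microsoft Graph directory-audit schema; the operation names, the modified-property names (IssuerUri, AuthenticationType), the baseline issuer and the sample records are assumptions constructed for the example. In line with the caveat that flagged items may be legitimate, a change that points the trust at an identity provider outside the expected baseline is rated HIGH, while a change against a known provider is marked REVIEW for manual follow-up rather than treated as an intrusion.

```python
"""Triage Azure AD audit-log records for federation-trust changes.

Example code written for this article; not Mandiant's Azure AD Investigator.
Record layout follows the Microsoft Graph directoryAudits schema; the operation
names, property names, baseline and sample records are assumptions.
"""
import json

# Audit operations that add or alter a federation trust (assumed names). A hostile
# change here lets an attacker issue tokens from an IdP they control.
FEDERATION_OPERATIONS = {
    "Set federation settings on domain",  # IdP endpoints / signing certificate changed
    "Set domain authentication",          # domain switched between Managed and Federated
}

# Identity providers the tenant is expected to federate with (constructed baseline).
EXPECTED_ISSUERS = {"http://sts.corp.example/adfs/services/trust"}


def _decode(value):
    """modifiedProperties values arrive as JSON-encoded strings; unwrap them."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def triage(records, expected_issuers=EXPECTED_ISSUERS):
    """Return one finding per federation change, rated HIGH or REVIEW."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_OPERATIONS:
            continue  # not a federation change; ignore
        actor = (rec.get("initiatedBy", {}).get("user") or {}).get(
            "userPrincipalName", "<unknown>")
        for target in rec.get("targetResources", []):
            changed = {p["displayName"]: _decode(p.get("newValue"))
                       for p in target.get("modifiedProperties", [])}
            issuer = changed.get("IssuerUri")
            became_federated = changed.get("AuthenticationType") == "Federated"
            unknown_idp = issuer is not None and issuer not in expected_issuers
            if unknown_idp or (became_federated and issuer is None):
                severity = "HIGH"
                reason = "federation trust points at an IdP outside the baseline"
            else:
                # Signing-certificate rotation against the known IdP is routine
                # admin work, so it is queued for manual review, not alerted on.
                severity = "REVIEW"
                reason = "federation change against a known IdP; confirm with AD FS owners"
            findings.append({
                "time": rec.get("activityDateTime"),
                "operation": rec["activityDisplayName"],
                "actor": actor,
                "domain": target.get("displayName"),
                "issuer": issuer,
                "severity": severity,
                "reason": reason,
            })
    return findings


# Constructed sample records (abridged Graph directoryAudits shape).
SAMPLE_AUDIT_LOG = [
    {   # routine certificate rotation by a known admin against the known IdP
        "activityDateTime": "2021-01-05T09:12:00Z",
        "activityDisplayName": "Set federation settings on domain",
        "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
        "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
            {"displayName": "IssuerUri",
             "newValue": "\"http://sts.corp.example/adfs/services/trust\""},
            {"displayName": "SigningCertificate", "newValue": "\"MIIC...rotated...\""}]}],
    },
    {   # trust re-pointed at an issuer that is not in the baseline
        "activityDateTime": "2021-01-06T02:44:00Z",
        "activityDisplayName": "Set federation settings on domain",
        "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example"}},
        "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
            {"displayName": "IssuerUri", "newValue": "\"http://evil-idp.example/trust\""}]}],
    },
    {   # unrelated operation; must be ignored
        "activityDateTime": "2021-01-06T03:00:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
        "targetResources": [{"displayName": "jane@corp.example", "modifiedProperties": []}],
    },
    {   # a second domain converted to Federated with no issuer recorded
        "activityDateTime": "2021-01-06T03:15:00Z",
        "activityDisplayName": "Set domain authentication",
        "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example"}},
        "targetResources": [{"displayName": "sub.corp.example", "modifiedProperties": [
            {"displayName": "AuthenticationType", "newValue": "\"Federated\""}]}],
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['severity']:6} {f['time']} {f['actor']} -> {f['domain']}: {f['reason']}")
```

Run against a real tenant, the records would come from the Graph directoryAudits endpoint or from Azure AD audit logs exported to a SIEM, and the baseline from the team that owns the on-premises AD FS farm; the point of the REVIEW tier is that a federation change is never silent, but it is not automatically an incident either.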
“The aim of this resource is to empower organisations with the particular methodologies that our Mandiant experts see, from how the attacker gets to the cloud from on-site and what that even looks like, to the four core techniques we’ve seen from the attack group,” Bienstock said. “This is intended to provide a description of the technique, but also to identify the goals and why this should be important to an organisation, in other words, why they should care that attackers do this.”
The source code of the Azure AD Investigator is available on GitHub.
Alongside the tool, FireEye on Tuesday released a white paper titled “Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452”, which offers guidance on how organisations can remediate and prevent attacks targeting their Microsoft 365 environments. The company says the paper includes remediation guidance for organisations impacted by UNC2452, hardening guidance for those that were not, and detection guidance that is useful to all.
A great deal of information has been published, Bienstock said, which makes it hard for organisations to work out what they need to do to investigate their environment, remediate it, or proactively harden it against this activity. The white paper is intended to serve as that playbook.